Hacker blackmail - when paying the ransom is a smart move

Diane King

The recent worldwide Wannacry computer virus outbreak, which saw NHS computers around the UK infected with ransomware, has led to much debate about how to deal with demands from cyberattackers.

The moral dilemma presented - meeting the demands of criminals versus preserving the reputation of the business concerned (to say nothing of keeping safe the public’s data) - is a massive decision.

One cybersecurity expert - Robert O'Brien, CEO of MetaCompliance - argues that in some cases, the hacker’s demands may have to be met.

“Paying the ransom may be the only smart move when a business is faced with hacker blackmail.

“From an information security point of view, it boils down to adequate risk assessment. If paying the ransom ensures the avoidance of potentially business-ending consequences - such as those experienced by the Grozio Chirurgija clinic in Lithuania - then paying up may be the only choice.

“Adequately assessing the risk in advance of any attack and tightening security accordingly is, of course, the best form of defence. However, when systems are breached then damage limitation, cost-efficiency and business survival must become the priorities.

For the Grozio Chirurgija clinic, meeting the cyber criminals’ original demand for €344,000 will now seem but a drop in the ocean compared to what the business stands to lose following the theft of patient data including revealing images, passport details and credit card information.

“There will quite rightly be outrage among the patients featured in 25,000 ‘before and after surgery’ photographs posted online.

“Patients from Denmark, Germany, Norway and the UK have received ransom demands of up to €2,000 euro to safeguard their privacy. It’s fair to assume that many of them will pay up to keep their secrets secure. It seems equally fair to assume that a string of costly legal actions against the clinic will already be underway.

“A key lesson to learn from this is that playing hard ball with cyber criminals or simply failing to grasp their modus operandi can be fatal for businesses.

“It is hard to fathom how the clinic would not consider paying the ransom or at least negotiating a reduced fee with the criminals, given the prospects.

“Carrying out a simple risk assessment would have easily identified the catastrophic potential for the business of the stolen information being released on the dark web. And although the safeguarding of information cannot be guaranteed by ransom payment, the track record of international cyber criminals would indicate that they operate on something of an honour system - living up to their side of the deal. After all, they want to stay in business too.

“It’s somewhat surprising that a company, which holds such very sensitive patient data and images, would not at least engage with those making the threat. It would appear that the firm didn’t fully understand or take seriously the risk faced. Given the information stolen they should have done everything in their power not to betray the trust of their patients. That would mean setting principals and pre-conceptions on ransom demands aside and simply paying up.

“Companies holding data of a private and sensitive nature have an extra responsibility to employ the highest levels of security.

“In this case it would appear the company was an easy target with the hackers labelling the ransom as a "small penalty fee" for having vulnerable computer systems. That is a common thread in cyber crime stories.

“Risk is a concept widely considered in IT and more business leaders are taking notice of that. However, not near enough are giving the issue the serious consideration it deserves.

“Recent research undertaken by the Institute of Directors and Barclays revealed there are still gaping holes in many companies’ cyber security plans. One of the main findings suggested that 94% of firms in the UK believe IT security is important but only 56% have a strategy in place to deal with cyber attacks.

“Addressing vulnerable systems and educating people in the workplace on cyber security are key steps to take. Securing company data by storing in multiple location is also essential to minimise risk from cyber criminals.

“However, when a breach occurs and the criminals come calling, the only option may be to listen carefully to their demands and make the best move for the survival of your business.”

Robert O’Brien is CEO of MetaCompliance a global Information Security and Compliance software vendor